BUIP026: Bounties for Software Exploits
Proposer: Tim Potter (sponsored by Andrew Clifford)
Submitted on: 2017-03-29
Status: passed
Bitcoin Unlimited must produce exceptionally reliable code.
The goal of this proposal is to fund a bounty purse that mimics both the corrective mechanisms and also the high reliability of DNA synthesis by incentivizing the entire community of open source code contributors to search for nuggets.
An example of high precision high reliability code in nature is DNA. The overall error rate is 10^-10 errors per base pair. The error rate of DNA synthesis is 10^-8, but this error rate is corrected with multiple corrective mechanisms that eventually bring the error rate down to 10^-10.
This BUIP proposes an additional tier of code review that is beyond what any development team could reasonably accomplish on its own by adding a simple cash reward mechanism as a highly efficient method of detecting any remaining bugs.
Reward payments are effectively bounties in this context.
A there are two levels of reward available to software developers everywhere:
Identification of an exploit which can remotely bring down a node will earn a reward payment in BTC
- the fault details are emailed to security@bitcoinunlimited.info
- the fault is shown to be effective by the BU dev team.
- the fault is fixed and a public release is available before the exploit is used on main-net.
At any point after software is merged into the principal branches this becomes active:
The reward for a fault in the release version is $2000, equivalent in BTC, regardless of how long the fault has been present. The reward for a fault in the dev version is $3000, equivalent in BTC, provided the fault has been in the dev version for 60 days. The reward values will be subject to periodic review.
Any general faults and bugs in the current release version can be notified to the Bitcoin Unlimited lead Developer who will make an assessment about the seriousness and can propose a cash payment of up to $1000. This is subject to discussion and approval of other BU officers, however, the recommendation of the Developer will normally be accepted.
Hackerone. A reward for exploits to be advertised there on a similar basis as above.
Total bounty pool is $20,000 after which it will be necessary to return to the membership with a BUIP to top-up the funds.
Any additional feedback is appreciated.